Re: LYNX-DEV Minor security issue with lynx...

From: Jonathan Sergent
Subject: Re: LYNX-DEV Minor security issue with lynx...
Date: Tue, 15 Jul 1997 23:15:36 -0500

] An ISP used to offer anonymous access to lynx-2.3beta through a
] password-less account. While it was locked down pretty tight (no 'g'
] option, etc.) I was able to obtain a shell through the Download menu by
] entering a filename of ';/bin/sh'.
]
] The lynx-cfg lists the following:
]
] DOWNLOADER:Use Zmodem to download to your computer:tmpfile=%s ; szfile= %s ;
] cp $tmpfile $szfile ; sz $szfile ; rm $szfile:TRUE
]
] I've just installed 2.7, and I noticed the suggested code is different, so
] perhaps you fixed this -- just wanted to point it out in case you weren't
] aware.

Newer code (thanks to Fote) quotes the pathnames (and escapes any
quotes contained inside the pathname) before doing an sprintf on the
downloader command. That doesn't mean that it's impossible to write
a downloader that will cause problems, but (guessing here, you should
download it and try) I don't think the supplied downloader definition
with quoted pathnames will allow this. I think this may have been
added as far back as 2.4. The attack described in the CERT bulletin
is fixed in either of the current development trees.

2.3beta is just plain ancient!

The fact that you just installed 2.7 instead of 2.7.1 or 2.7.1+FOTEMODS
is disturbing, as there are a number of bugs in 2.7 that are fixed
plus several feature enhancements.

--jss.
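
The fix described in the reply above (quote the pathname and escape any quotes inside it before formatting the downloader command), sketched as an added example that is not Lynx source code. The names `sh_quote` and `build_download_cmd` are hypothetical, and the one-argument `sz %s` template is a constructed simplification of the lynx.cfg line quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Constructed one-argument template; the lynx.cfg entry quoted above is longer. */
#define DOWNLOADER_TMPL "sz %s"

/* Hypothetical helper: wrap `in` in single quotes for /bin/sh and rewrite
 * each embedded ' as '\'' so the filename cannot close the quoting.
 * Returns 0 on success, -1 if `out` is too small (never truncates). */
int sh_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;           /* room for '' and NUL at minimum */
    out[o++] = '\'';
    for (; *in != '\0'; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outsz) return -1;   /* keep space for ' and NUL */
        if (*in == '\'')
            memcpy(out + o, "'\\''", 4);
        else
            out[o] = *in;
        o += need;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Quote the user-supplied filename first, then format the command line. */
int build_download_cmd(const char *filename, char *cmd, size_t cmdsz)
{
    char quoted[1024];
    int n;
    if (sh_quote(filename, quoted, sizeof quoted) != 0) return -1;
    n = snprintf(cmd, cmdsz, DOWNLOADER_TMPL, quoted);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample filenames; the second is the one from the report. */
    const char *samples[] = { "report.txt", ";/bin/sh", "it's.txt" };
    char cmd[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (build_download_cmd(samples[i], cmd, sizeof cmd) == 0)
            printf("%s\n", cmd);
    return 0;
}
```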